From Bugzilla: * Even with account creation disabled, users can use the WebService to create an account. We strongly advise that 2.23.x and 3.0.x users upgrade to 3.0.2 immediately. Users of CVS HEAD or 3.1.1 should upgrade to 3.1.2 immediately. This is critical if you have a "requirelogin" installation and also have the WebService enabled. Vulnerability Details ===================== Class: Unauthorized Access Versions: 2.23.3 and above. Description: Bugzilla::WebService::User::offer_account_by_email does not check the "createemailregexp" parameter, and thus allows users to create accounts who would normally be denied account creation. The "emailregexp" parameter is still checked. If you do not have the SOAP::Lite Perl module installed on your Bugzilla system, your system is not vulnerable (because the Bugzilla WebService will not be enabled). Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=395632 In our tree, this only affects 3.0.1. Please bump to 3.0.2.
Whiteboard. Maintainers already cc'ed.
Bumped to 3.0.2, removed insecure 3.0.1. Marked unstable on all arches, nothing to stabilize. webapps done here
Thanks. [noglsa] here.
